author | Kim Motoyoshi Kalland <kim.kalland@nokia.com> | 2010-09-27 11:34:59 (GMT) |
---|---|---|
committer | Kim Motoyoshi Kalland <kim.kalland@nokia.com> | 2010-09-28 16:20:37 (GMT) |
commit | 6368ca1c36488d1297c768a5fae52f65bb5b91be (patch) | |
tree | 542a220d2edfddd2095f1479ae1a024b70402abd /src | |
parent | e355a8073881cb9e5cce87b0e498d7f22b7d83ce (diff) | |
Fixed potential crash when loading corrupt GIFs.
Task-number: QTBUG-13774
Reviewed-by: aavit
Diffstat (limited to 'src')
-rw-r--r-- | src/gui/image/qgifhandler.cpp | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
index 124d27b..a050baf 100644
--- a/src/gui/image/qgifhandler.cpp
+++ b/src/gui/image/qgifhandler.cpp
@@ -505,17 +505,26 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
 code=oldcode;
 }
 while (code>=clear_code+2) {
+ if (code >= max_code) {
+ state = Error;
+ return -1;
+ }
 *sp++=table[1][code];
 if (code==table[0][code]) {
 state=Error;
- break;
+ return -1;
 }
 if (sp-stack>=(1<<(max_lzw_bits))*2) {
 state=Error;
- break;
+ return -1;
 }
 code=table[0][code];
 }
+ if (code < 0) {
+ state = Error;
+ return -1;
+ }
+
 *sp++=firstcode=table[1][code];
 code=max_code;
 if (code<(1<<max_lzw_bits)) { |
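Review bot: The two new guards in the `while (code>=clear_code+2)` loop and just after it carry no comment saying which decoder invariant each protects, although they are all that stands between a code value taken from the file and the `table[1][code]` / `table[0][code]` reads. I would add `// code names a table entry that has not been defined yet` above `if (code >= max_code)`, and `// no usable previous code to fall back on (presumably oldcode is still unset) - confirm` above `if (code < 0)`. Replacing `break` with `return -1` is what stops the post-loop `*sp++=firstcode=table[1][code];` from running after `state=Error`. Because decode() now exits from the middle of its body, it is worth confirming that callers treat -1 as a failed decode in the same way as the function's other error paths. The body of decode() starts and ends outside this hunk, so neither the size of `stack` nor the caller side can be checked from here.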